September 2006
Report No. 06-018

Response to Privacy Program Information Request in OMB’s Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management

AUDIT REPORT


Report No. 06-018
September 2006

Response to Privacy Program Information Request in OMB’s Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management

Background and Purpose of Audit

A number of federal statutes, policies, and guidelines are aimed at protecting the confidentiality, integrity, and availability of information in an identifiable form (IIF) from unauthorized use, access, disclosure, or sharing and protecting associated information systems from unauthorized access, modification, disruption, or destruction. Key federal statutes include the Privacy Act of 1974; section 208 of the E-Government Act of 2002; and section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005, hereafter referred to as section 522.

The Federal Information Security Management Act of 2002 (FISMA) directs federal agencies to have an annual independent evaluation performed of their information security program and practices and to report the results of the evaluation to the Office of Management and Budget (OMB), the Comptroller General, and various congressional committees. On July 17, 2006, the OMB issued a memorandum entitled FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. In response to OMB’s request for privacy program information, the FDIC Office of Inspector General contracted with KPMG LLP (KPMG) to audit and report on the privacy management areas addressed in the OMB memorandum.

The objective of this audit was to determine the current status of the FDIC’s efforts to implement a corporate-wide privacy protection program. While KPMG did not evaluate the FDIC’s privacy program as part of this audit, the report provides information on the program and related activities.

Results of Audit

KPMG reported that the FDIC has taken a number of actions to protect IIF since the passage of the Privacy Act of 1974 and has continually enhanced the corporate privacy protection program, policies, and procedures. Such recent actions include strengthening controls related to IIF and implementing mandatory Web-based privacy training to promote Privacy Act awareness among FDIC employees and contractor personnel. In addition, the FDIC has identified 46 systems containing IIF and performed required Privacy Impact Assessments (PIA) for most of those systems.

These actions were positive; however, the FDIC could further strengthen its privacy program by completing ongoing efforts to:

• monitor and enforce annual privacy awareness training requirements and formalize a privacy training program to ensure individuals in trusted roles receive job-specific training;
• implement measures to ensure technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices as required by section 522; and
• establish and implement a formal plan of action and milestones to track privacy program deficiencies such as those identified in PIAs and required privacy reviews.

In addition, the Corporation should determine when it will submit an annual report to the Congress on its privacy protection activities, including complaints of privacy violations, internal controls, and other relevant matters as discussed in section 522.

Recommendations and Management Response

KPMG made no recommendations in the report. However, the Privacy Program Manager provided informal comments on a draft version of this report, which KPMG considered and incorporated into the report, as appropriate. Under contract with the OIG, KPMG will perform a more in-depth review, as required by section 522, of the FDIC’s use of IIF and related privacy protection policy and procedures, and the firm will make appropriate recommendations, if necessary, at that time.

To view the full report, go to www.fdicig.gov/2006reports.asp


Response to Privacy Program Information Request in OMB’s Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management
Report Number 06-018

Prepared for the
Federal Deposit Insurance Corporation
Office of Inspector General

FINAL REPORT

Prepared by:
KPMG LLP
Advisory Services – Federal Practice
2001 M Street, NW
Washington, DC 20036
(202) 533-3000


TABLE OF CONTENTS

INTRODUCTION
BACKGROUND
RESULTS OF AUDIT
STATUS OF THE FDIC’S PRIVACY PROTECTION POLICIES AND PROCEDURES
  Policies and Procedures
  Awareness and Training
  Privacy Reviews
  Privacy Impact Assessments and Notice Requirements
  Persistent Tracking
  Internal Oversight
  OIG Coordination
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: PRIVACY-RELATED LAWS, POLICIES, AND GUIDELINES

ACRONYMS

CPO     Chief Privacy Officer
FDIC    Federal Deposit Insurance Corporation
FISMA   Federal Information Security Management Act
FOIA    Freedom of Information Act
GAGAS   Generally Accepted Government Auditing Standards
IG      Inspector General
IIF     Information in an Identifiable Form
ISM     Information Security Manager
KPMG    KPMG LLP
OIG     Office of Inspector General
OMB     Office of Management and Budget
PIA     Privacy Impact Assessment
POA&M   Plan of Action and Milestones
SORN    System of Records Notice
SSN     Social Security Number


INTRODUCTION

On July 17, 2006, the Office of Management and Budget (OMB) issued Memorandum M-06-20 entitled FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. In response to OMB’s request for privacy program information, the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit and report on the privacy management areas addressed in Section D of the OMB memorandum. This is the second year that KPMG has supported the FDIC OIG in this audit work. KPMG conducted its performance audit in accordance with generally accepted government auditing standards (GAGAS) issued by the Comptroller General of the United States.

The objective of this audit was to determine the current status of the FDIC’s efforts to implement a corporate-wide privacy program. While KPMG did not evaluate the effectiveness of the FDIC’s privacy program as part of this audit, this report provides information on the program and related activities. Reports on (1) the FDIC OIG responses to specific security-related questions in the referenced OMB memorandum and (2) the independent security evaluation required by the Federal Information Security Management Act of 2002 (FISMA) will be provided under separate cover.[1] Those two reports and this report are intended to fulfill the FDIC OIG’s reporting responsibilities under FISMA and related OMB guidance. In addition, further information on the effectiveness of the FDIC’s privacy program will be provided as part of the independent, third-party review required under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005, hereafter referred to as section 522. The FDIC OIG also contracted with KPMG to fulfill the review requirements of section 522.

[1] Responses to Security-Related Questions in FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (FDIC-OIG Report No. 06-019), dated September 2006; and Independent Evaluation of the FDIC’s Information Security Program – 2006 (FDIC-OIG Report No. 06-022), dated September 2006.

Appendix I describes our objective, scope, and methodology. Appendix II contains brief descriptions of key privacy-related laws, policies, and guidelines and their applicability to the FDIC.

The FDIC’s Privacy Program Manager provided informal comments in response to a draft of this report. KPMG considered and incorporated the comments, as appropriate, into the report. In general, the Privacy Program Manager agreed with KPMG’s observations for strengthening the FDIC’s privacy program.


BACKGROUND

The protection of sensitive information has never been more important or more threatened. The increasing use of computers to store and retrieve personal data about individuals has highlighted the government’s duty to balance the necessity of maintaining information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy. In addition, recent high-profile incidents involving the potential compromise or loss of sensitive personal information further reinforce the need for federal agencies to implement measures to protect sensitive information entrusted to them.

A number of federal statutes, policies, and guidelines are aimed at protecting information in an identifiable form (IIF)[2] and associated information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, as discussed in Appendix II. One of the key policies is OMB Circular A-130, Management of Federal Information Resources, and its appendices.

[2] OMB defines IIF as information in a system or on-line collection that directly identifies an individual (e.g., name, address, Social Security number (SSN) or other identifying code, telephone number, e-mail address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements.


RESULTS OF AUDIT

The FDIC has taken a number of actions to protect IIF since the passage of the Privacy Act of 1974 and has continually enhanced the corporate privacy program, policies, and procedures. Such actions include strengthening controls related to IIF and implementing mandatory Web-based privacy training to promote Privacy Act awareness among corporate employees and contractor personnel. In addition, the FDIC has identified 46 systems containing IIF and completed required Privacy Impact Assessments (PIAs)[3] for 43 of those systems. These actions were positive; however, the FDIC could further strengthen its privacy program by completing ongoing efforts to:

• monitor and enforce annual privacy awareness training requirements and formalize a privacy training program to ensure individuals in trusted roles receive job-specific training;
• implement measures to ensure technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices as required by section 522;
• establish and implement a formal plan of action and milestones (POA&M) to track privacy management deficiencies such as those identified in PIAs and required privacy reviews; and
• submit an annual report to the Congress consistent with the provisions of section 522, addressing privacy protection activities, including complaints of privacy violations, internal controls, and other relevant matters.

[3] A PIA is an analysis of how information is handled to: (1) ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) determine the risks and effects of collecting, maintaining, and disseminating IIF; and (3) examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. A PIA is required by the E-Government Act of 2002 (as implemented by OMB Memorandum M-03-22) to ensure that privacy protections and Privacy Act requirements are considered when developing or procuring new or modified information technology that contains IIF.

KPMG is not making recommendations in this report. The FDIC OIG also contracted with KPMG to perform a privacy review, as required by section 522, of the FDIC’s use of IIF and related FDIC privacy and data protection policies and procedures, and the firm will make appropriate recommendations, if necessary, at that time.


STATUS OF THE FDIC’S PRIVACY PROTECTION POLICIES AND PROCEDURES

The FDIC recognizes the need to take additional steps to implement a more effective privacy program. Since the 2005 OIG privacy evaluation,[4] the FDIC has continued to develop and strengthen its privacy program, policies, and procedures. KPMG’s review indicated that the FDIC has made progress by identifying computer applications processing IIF, establishing corporate privacy awareness training, conducting PIAs and required Privacy Act-related reviews, and satisfying records notification requirements. Key privacy initiatives, addressing areas in Section D of OMB Memorandum M-06-20, are detailed below.

[4] Response to Privacy Program Information Request in OMB’s Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management (FDIC-OIG Report No. 05-033), dated September 16, 2005.

Policies and Procedures. In accordance with section 522, the FDIC’s Chief Privacy Officer (CPO) has primary responsibility for the Corporation’s privacy protection policy and for ensuring that IIF and related information systems are protected.

The FDIC’s privacy program includes policies and procedures to manage and protect IIF. For example, the FDIC’s PIA guide and template assist system owners in completing PIAs, if they are necessary based on the presence of IIF. Further, the FDIC has strengthened and revised its procedures related to the overall sensitivity of FDIC computer applications by using the Application Security Assessment,[5] which includes questions to aid in identifying any IIF in an application. During FY 2006, the FDIC identified applications containing IIF and developed a phased approach for performing PIAs. As of September 20, 2006, the FDIC had completed PIAs for 43 out of 46 applications identified as containing IIF. In addition, the FDIC made sanitized versions of all but one[6] of the completed PIAs publicly available on the FDIC’s Privacy Program Web site in accordance with the E-Government Act of 2002 requirements. Furthermore, in response to OMB Memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, the FDIC is drafting a policy that requires encryption of production data stored at a remote location, authorization for the duplication of IIF, and disposal of any copies of privacy information within 90 days of the duplication. The FDIC has also acted to ensure its remote authentication and “time-out” functions meet OMB requirements.

[5] The FDIC previously used the Sensitivity Assessment Questionnaire to determine the overall sensitivity of an FDIC system or application. Certain responses generate specific security control recommendations, including the necessity to complete a PIA.
[6] A waiver from the public posting requirement was requested for one system due to the sensitivity of the data in the system, as well as business needs to ensure confidentiality of the system. Such a waiver was consistent with the E-Government Act and OMB’s implementing guidance.

Awareness and Training. In October 2005, the FDIC implemented corporate-wide privacy awareness training that included coverage of privacy laws, regulations, and policies. Completion of this Web-based course is mandatory for all FDIC employees and contractors. The FDIC tracks training completion using a security awareness and training database. However, the FDIC could strengthen its monitoring and enforcement of compliance with the privacy awareness training requirements. During the 12 months ended June 2006, the FDIC had created 983 new user (employee and contractor) accounts. KPMG sampled 45 such user accounts and found that 9 of those users had not completed the required privacy awareness training. The FDIC attributed the lack of compliance to a delay between the privacy awareness training completion deadline[7] and the time divisional Information Security Managers (ISM) could access privacy training compliance reports to perform necessary follow-up. The FDIC is addressing this issue, and ISMs have been reminded to comply with the awareness training requirement.

[7] The privacy training was announced by global e-mail on October 11, 2005 and included a mandatory completion date of October 28, 2005.

In addition, the FDIC provides one-on-one or team-specific privacy training on an ad hoc basis. However, this type of training has not been incorporated into a formal privacy training program. The Privacy Program Manager indicated that the Corporation has undertaken an initiative with the Corporate University to provide specific privacy training. A formal job-specific training program would help to ensure that FDIC personnel and contractors directly involved in administering IIF or information systems processing IIF are familiar with the information privacy laws and regulations applicable to their specific job duties and responsibilities, and would help prevent inappropriate access and disclosure.

Privacy Reviews. The FDIC has completed all reviews of FDIC compliance with various provisions of the Privacy Act as required by OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals.[8] These reviews focus attention on particular Privacy Act requirements as indicated by the following examples from the circular:

• Recordkeeping Practices. Biennially review agency recordkeeping and disposal policies and practices in order to assure compliance with the Privacy Act, paying particular attention to the maintenance of automated records.
• Privacy Act Training. Biennially review agency training practices in order to ensure that all agency personnel are familiar with the requirements of the Act, the agency’s implementing regulation, and any special requirements of their specific jobs.

[8] OMB Circular A-130, Appendix I, requires agencies to conduct reviews of the following topics, at the indicated frequency: Section (m) Contract, Recordkeeping Practices, Privacy Act Training, Violations, and System of Records Notices every 2 years; Routine Use Disclosures and Exemption of System of Records reviews every 4 years; and Matching Programs annually.

Privacy Impact Assessments and Notice Requirements. The FDIC has made significant progress in identifying systems containing IIF. For example, the FDIC completed an initial exercise in September 2005 to identify computer applications with Social Security number (SSN) information. Following the completion of this exercise, the FDIC conducted another review to identify systems with any additional IIF data. The FDIC identified 46 applications containing IIF and developed a phased approach for performing the associated PIAs. As of September 20, 2006, the FDIC had completed PIAs for 43 of these applications. The PIAs for the remaining three applications containing IIF are scheduled for completion by December 31, 2006. Additionally, the FDIC has published 24 System of Records[9] Notices (SORN) on the FDIC Web site and in the Federal Register, as required by the Privacy Act, and is proposing 4 new FDIC Privacy Act SORNs to replace the outdated Unofficial Personnel Records notice.[10] The SORNs help to ensure that information about FDIC maintenance and use of records containing IIF is publicly disclosed. The FDIC has also included its privacy policies on its public-facing Web site in furtherance of its disclosure activities.

Persistent Tracking. The FDIC continues to annually review the use of persistent tracking technologies, the most common of which are Web site cookies. There are two types of Web site cookies: session and persistent cookies. Session cookies are temporary and are erased when a user closes the Web browser, whereas persistent cookies remain on a user’s computer until they expire or the user erases them. The FDIC uses persistent cookies only as part of the Statistics on Depository Institutions application. The FDIC has properly obtained agency-head approval to collect this information and informs visitors of its use.
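The distinction the review turns on (a cookie that survives the browser session versus one that does not) is decided by the Max-Age and Expires attributes the server sends with each cookie. The following Python script, an added example rather than code from the report or from the FDIC, classifies captured Set-Cookie headers on that basis and flags any persistent cookie whose name is not on a list of cookies with approval and notice on file. The sample headers, the approved list, the review date, and the example.gov host names are constructed for the example and stand in for what a crawl of an agency’s public site would record.

```python
"""Classify Set-Cookie headers as session or persistent cookies and flag
persistent ones that lack approval.

Added example for the persistent-tracking review described above. It is not
code from the report or from the FDIC; the sample headers, approved list and
review date below are constructed for illustration.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed review date so the Expires arithmetic is reproducible.
REVIEW_DATE = datetime(2006, 9, 20, tzinfo=timezone.utc)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime_seconds(attrs: dict, now: datetime) -> Optional[int]:
    """Seconds until the cookie expires, or None for a session cookie.

    Follows RFC 6265 section 5.3: a well-formed Max-Age takes precedence over
    Expires, and a malformed Max-Age is ignored as if it were absent.
    """
    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            return int(max_age)
        except ValueError:
            pass  # malformed Max-Age: fall through to Expires
    expires = attrs.get("expires")
    if expires:
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None  # unparseable Expires: browsers treat it as a session cookie
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None


def classify_cookie(header: str, now: datetime = REVIEW_DATE) -> dict:
    """Return name, persistence and lifetime for one Set-Cookie header.

    A cookie is persistent only if it would survive the browser session,
    i.e. its lifetime is known and positive; Max-Age=0 is a deletion.
    """
    cookie = parse_set_cookie(header)
    lifetime = lifetime_seconds(cookie["attrs"], now)
    return {
        "name": cookie["name"],
        "persistent": lifetime is not None and lifetime > 0,
        "lifetime": lifetime,
        "secure": "secure" in cookie["attrs"],
        "httponly": "httponly" in cookie["attrs"],
    }


def audit_cookies(observations, approved, now: datetime = REVIEW_DATE) -> list:
    """Flag persistent cookies whose name is not on the approved list.

    ``observations`` is a sequence of (page_url, set_cookie_header) pairs as
    captured by a crawl; ``approved`` is the set of cookie names for which
    agency-head approval and public notice already exist.
    """
    findings = []
    for url, header in observations:
        info = classify_cookie(header, now)
        if info["persistent"] and info["name"] not in approved:
            findings.append({"url": url, **info})
    return findings


# Constructed sample: what a crawl of a public site might record.
SAMPLE_OBSERVATIONS = [
    ("https://www.example.gov/", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
    ("https://www.example.gov/sdi/", "sdi_prefs=state%3DVA; Max-Age=31536000; Path=/sdi; Secure"),
    ("https://www.example.gov/news/", "_tracker=9f8e; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/"),
    ("https://www.example.gov/login/", "stale=1; Max-Age=0; Path=/"),
    ("https://www.example.gov/", "weird=x; Max-Age=soon; Path=/"),
]
# Constructed approved list: one persistent cookie with approval on file.
APPROVED_PERSISTENT = {"sdi_prefs"}


if __name__ == "__main__":
    for url, header in SAMPLE_OBSERVATIONS:
        info = classify_cookie(header)
        kind = "persistent" if info["persistent"] else "session"
        print(f"{info['name']:<12} {kind:<10} lifetime={info['lifetime']} {url}")
    for finding in audit_cookies(SAMPLE_OBSERVATIONS, APPROVED_PERSISTENT):
        print(f"NEEDS APPROVAL/NOTICE: {finding['name']} set at {finding['url']}")
```

Run as a script it prints one line per cookie and a single finding for `_tracker`, the only persistent cookie not on the approved list; feeding it (url, Set-Cookie) pairs captured from a crawl of the public site turns the annual review into a repeatable check. The classification follows RFC 6265: a well-formed Max-Age overrides Expires, a malformed Max-Age is ignored, and Max-Age=0 or an Expires in the past is a deletion rather than tracking.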
Additionally, the FDIC posts Privacy Notices on all public Web sites and on any Web page where the FDIC uses session cookies to collect information, consistent with OMB guidance.[11]

[9] The Privacy Act of 1974 states, “The term system of records means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”
[10] The Web site contains only the name of the system and indicates that it is to be revised at a later time.
[11] OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003, indicates that where there is a compelling need to use persistent tracking technology, the agency must post clear notice of its privacy policy.

Internal Oversight. In addition to performing the privacy reviews discussed earlier to comply with requirements in OMB Circular A-130, Appendix I, the FDIC conducts internal reviews of compliance with information privacy laws and regulations. For example, in November 2005, the FDIC conducted a review of several published directives that contain privacy references and added or revised content, language, and references, as necessary. Continuing these reviews will help the FDIC to ensure compliance with current privacy requirements, such as OMB Memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, which emphasized critical safeguards for protecting privacy information on mobile computers and devices. The memorandum requires an agency review of these safeguards.

The FDIC needs to implement measures that would provide assurance that the technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices as required by section 522 and discussed in OMB Memorandum M-06-20. The need for continuous auditing of system security controls was also identified in the FY 2006 independent evaluation of the FDIC’s security program.[12] The Privacy Program Manager indicated that a Division of Information Technology (DIT) project team is evaluating technologies to provide continuous monitoring. Continuous monitoring of compliance controls will provide the FDIC with ongoing awareness and periodic compliance metrics regarding the collection, use, and distribution of IIF. Additionally, the FDIC needs to complete a comprehensive and formal POA&M to track privacy program compliance deficiencies. The Privacy Program Manager indicated that corrective actions related to audits would be tracked through the corporate audit finding tracking system and non-audit-related initiatives through the established Privacy Program monthly status report. However, the Privacy Program monthly status report was not always completed and did not consistently include required resources or track items through completion. A formal POA&M for the privacy program will enhance the FDIC’s ability to identify, assess, prioritize, and monitor the progress of corrective efforts for identified privacy weaknesses, including those contained in PIAs and privacy reviews.

[12] In the FY 2006 Independent Evaluation of the FDIC’s Information Security Program (FDIC-OIG Report No. 06-022), dated September 2006, the OIG suggested that the FDIC complete its security risk management methodology to define procedures for performing continuous monitoring of system security controls after system accreditation.

The FDIC has determined that the Corporation needs to report annually to Congress regarding activities affecting privacy as required by section 522. The FDIC Privacy Program Manager indicated that the FDIC plans to comply with this requirement by submitting such a report in FY 2006. KPMG intends to follow up in the upcoming section 522 compliance audit to determine the status of the FDIC’s preparation of this report.

OIG Coordination. The FDIC coordinated with the OIG on privacy program oversight by providing the OIG with a compilation of FDIC privacy and data protection policies and procedures, a summary of the FDIC’s use of IIF, and verification of the intent to comply with both federal and corporate agency policies and procedures. Section 522 required the FDIC to provide a report containing this information to the Inspector General; the report was received on September 15, 2005.

KPMG is making no recommendations in this report. The FDIC OIG has contracted with KPMG to perform a privacy review, designed to meet the various requirements of section 522, of the FDIC’s use of IIF and related privacy protection policy and procedures, and the firm will make appropriate recommendations, if necessary, at that time.


APPENDIX I
OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of KPMG’s performance audit was to determine the current status of the FDIC’s efforts to implement a corporate-wide privacy program. The audit focused on privacy program areas addressed in Section D of OMB’s July 17, 2006 memorandum M-06-20 entitled FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. As part of the audit work, KPMG reviewed prior OIG reports (listed below) related to privacy. The results of this audit support the OIG in fulfilling its evaluation and reporting responsibilities under FISMA and M-06-20.

To accomplish the objective, KPMG relied on information-gathering techniques such as interviewing key FDIC officials with privacy responsibilities; reviewing relevant FDIC policies, procedures, and documentation; and performing other appropriate audit procedures. Also, KPMG considered the results from the following OIG reports but did not follow up on the recommendations in those reports. Such follow-up will be performed as part of the required review under section 522.

• FDIC OIG Report No. 05-033, Response to Privacy Program Information Request in OMB’s Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management, dated September 16, 2005. The objective of the audit was to determine the current status of the FDIC’s efforts to implement a corporate-wide privacy management program. The results of the audit indicated that while the FDIC had taken a number of actions to protect IIF, the FDIC needed to complete several ongoing efforts to strengthen its privacy program. Such efforts included, among other things, the identification of all FDIC-maintained IIF and the establishment of a corporate-wide privacy training and education program.

• FDIC OIG Report No. 06-005, FDIC Safeguards Over Personal Employee Information, dated January 6, 2006. The objective of the evaluation was to evaluate the FDIC’s policies, procedures, and practices for safeguarding personal employee information in hardcopy and electronic form. Based on the results of the evaluation, the FDIC OIG noted that the FDIC had made efforts to enhance its established privacy program in response to legislative requirements and breaches of FDIC employee information. However, the FDIC OIG issued 15 recommendations to help ensure the FDIC complies fully with privacy-related legislation and regulations; identifies personal employee information maintained by the FDIC and its contractors that needs to be protected; and implements sufficient administrative, physical, and technical controls over such information.

• FDIC OIG Report No. 06-016, Controls Over the Disposal of Sensitive FDIC Information by Iron Mountain, Inc., dated June 29, 2006. The objective of the audit was to determine whether the FDIC has adequate controls for ensuring the secure disposal of sensitive information by Iron Mountain for the FDIC’s headquarters offices. The results of the audit indicated the FDIC established a number of key controls to ensure the secure disposal of sensitive information by Iron Mountain. However, the FDIC OIG attributed several inconsistencies with established policy, procedures, and contractual language to insufficient contract oversight and issued a total of four recommendations.

• FDIC OIG Report No. 06-017, DRR’s Protection of Bank Employee and Customer Personally Identifiable Information, dated September 15, 2006. The objective of the audit was to determine whether the Division of Resolutions and Receiverships (DRR) adequately protects IIF collected in hardcopy form that is maintained as a result of resolution and receivership functions. The FDIC OIG reported that the division had not established a Records Management Program that defines recordkeeping requirements for the inventory, maintenance, control, and use of hardcopy documents.

KPMG did not separately perform procedures to review program performance measures, assess the FDIC’s compliance with laws and regulations, evaluate the FDIC’s internal control, or determine that computer-based data were valid and reliable. In addition, KPMG did not design specific audit procedures to detect fraud; however, throughout the audit, KPMG and the OIG were sensitive to the potential for fraud, waste, abuse, and mismanagement. KPMG performed the audit at the FDIC’s offices in Arlington, Virginia, during the period June through August 2006 in accordance with GAGAS issued by the Comptroller General of the United States.


APPENDIX II
PRIVACY-RELATED LAWS, POLICIES, AND GUIDELINES

A number of federal statutes, policies, and guidelines are aimed at protecting IIF from unauthorized use, access, disclosure, or sharing and associated information systems from unauthorized access, modification, disruption, or destruction. Brief descriptions of key privacy-related statutes, policies, and guidelines and their applicability to the FDIC follow.

• The Privacy Act of 1974 imposes various requirements on federal agencies whenever they collect, create, maintain, and distribute records (as defined in the Act, and regardless of whether they are in hardcopy or electronic format) that can be retrieved by the name of an individual or other identifier. One of these requirements is to publish notices in the Federal Register that include information such as the categories of records maintained in the agency systems, the routine uses of the records, and the manner in which individuals may access the information. As a federal agency, the FDIC is subject to the requirements of the Act.

• The E-Government Act of 2002, section 208, requires agencies to (1) conduct PIAs of information technology and collections and, in general, make PIAs publicly available; (2) post privacy policies on agency Web sites used by the public; (3) translate privacy policies into a machine-readable format; and (4) report annually to the OMB on compliance with section 208. The FDIC has determined that section 208 applies to the Corporation.

• Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 requires, among other things, that agencies protect IIF, designate a CPO, conduct PIAs under appropriate circumstances, report to the Congress and agency IG on privacy matters, and provide training to employees on privacy and data protection policies. Section 522 also requires that every 2 years, the agency IG contract with an independent third party to conduct a review of the agency’s privacy program and practices and that the IG issue a report based on that review.
Agencies must establish\n    comprehensive privacy and data protection procedures by December 2005. The FDIC has\n    determined that section 522 applies to the FDIC.\n\n\xe2\x80\xa2   OMB Circular No. A-130, Management of Federal Information Resources, Appendix I,\n    Federal Agency Responsibilities for Maintaining Records about Individuals, describes\n    agency responsibilities for implementing the reporting and publication requirements of the\n    Privacy Act of 1974. The FDIC has determined that OMB Circular No. A-130, Appendix I,\n    applies to the Corporation. Subsequent OMB policy provides additional information\n    regarding agency responsibilities for designating a senior agency official for privacy,\n    conducting PIAs, developing privacy policies for Web sites, providing privacy education to\n    employees and contractor personnel, and reporting privacy activities.\n\n\xe2\x80\xa2   OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions\n    of the E-Government Act of 2002, provides information to agencies on implementing the\n    privacy provision of the E-Government Act of 2002. The guidance directs agencies to\n\n\n\n\n                                                11\n\x0c                                                                                APPENDIX II\n    conduct reviews of how information about individuals is handled within their agencies\n    when they use information technology to collect new information, or when agencies\n    develop or buy new information technology systems to handle collections of PII. The FDIC\n    has taken steps to implement this memorandum.\n\n\xe2\x80\xa2   OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy,\n    contains OMB\xe2\x80\x99s request that each executive department and agency identify to OMB the\n    senior official who has the overall agency-wide responsibility for information privacy\n    issues. 
The FDIC complied with this request by designating the FDIC Chief Information\n    Officer as the Senior Official for Privacy.\n\n\xe2\x80\xa2   OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information,\n    describes responsibilities under law and policy to appropriately safeguard sensitive PII and\n    training employees on their responsibilities in this area. OMB requires the senior official\n    for privacy to conduct a review of policies and processes and take corrective action as\n    appropriate to ensure adequate safeguards to prevent misuse or unauthorized access to PII.\n    Any weaknesses found are to be identified in security POA&Ms already required by\n    FISMA. Although the level of legal applicability of this memorandum has not been\n    determined, the FDIC has taken steps to implement its provisions.\n\n\xe2\x80\xa2   OMB Memorandum M-06-16, Protection of Sensitive Agency Information, requires\n    departments and agencies to take specific actions to provide for the protection of sensitive\n    information. Requirements include the encryption of all data on mobile computers/devices\n    that carry sensitive data, two-factor authentication for remote access, \xe2\x80\x9ctime-out\xe2\x80\x9d functions\n    for remote access and mobile devices, and the logging of all computer-readable data\n    extracts from databases holding sensitive information. Although the level of legal\n    applicability of this memorandum has not been determined, the FDIC has taken steps to\n    implement its provisions.\n\n\xe2\x80\xa2   OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal\n    Information Security Management Act and Agency Privacy Management, directs senior\n    agency officials for privacy to answer a series of questions about their agency\xe2\x80\x99s privacy\n    programs. These questions are based, in part, on agency implementation of the privacy\n    provisions of the E-Government Act of 2002. 
In addition to the questions, the\n    memorandum requires the agency officials to report on the results of privacy program\n    reviews and identify physical or electronic incidents involving the loss of or unauthorized\n    access to PII. The memorandum also requests that agency IGs provide information about\n    their agency\xe2\x80\x99s privacy program and related activities, as appropriate, and provide a list of\n    any systems that are missing from the agency\xe2\x80\x99s inventory of major information systems.\n\n\xe2\x80\xa2   Homeland Security Presidential Directive (Hspd)-12, the Policy for a Common\n    Identification Standard for Federal Employees and Contractors. Hspd-12 requires\n    agencies to be in compliance with a standard architecture for a common identification\n\n\n\n\n                                                12\n\x0c                                                                            APPENDIX II\n    standard for federal employees and contractors by November 2006. The FDIC is not legally\n    bound by this requirement but intends to follow it.\n\n\xe2\x80\xa2   FDIC Circular 1031.1, Administration of the Privacy Act, establishes requirements for the\n    collection, maintenance, use, and dissemination of records subject to the Privacy Act of\n    1974.\n\n\xe2\x80\xa2   Division of Information and Technology IT Policy Memorandum, January 24, 2001,\n    Cookies in Internet Products, establishes the policy and standard for use of cookies in\n    Internet, FDICnet, and extranet-type products developed or deployed by FDIC.\n\n\n\n\n                                              13\n\x0c"